Need for a Risk-Based Approach
There is no "silver bullet" that will solve all security-related problems. Unfortunately, FISMA isn’t about solving security problems, but about measuring compliance with standards.
While this reporting process gives Congress and the general public a bit of reassurance that the government "knows what’s going on" with its computer systems, I argue that it’s not addressing the real problems.
Security is about achieving the right balance between data security and data access. To achieve FISMA compliance, your agency must do these things:
- Plan for security
- Ensure that appropriate officials are assigned security responsibility
- Periodically review IT security controls
- Authorize system processing prior to operations and periodically thereafter
When implementing FISMA requirements, there needs to be a proper perspective and understanding of risk management, which is not built into the FISMA process at all.
Risk management is part of the C&A methodology, but it has been overshadowed by the need to "check off all the boxes" for FISMA. A low score can severely impact an agency’s reputation and threaten the jobs of those who are responsible. The CIO may even have to testify before Congress to explain poor performance. Worst of all, the Office of Management and Budget (OMB) might delay or cancel funding for agency programs.
Unfortunately, a survey of security officers conducted in August 2005 found that agencies are spending more time complying with FISMA each year. Taking away funding for cash-starved programs will not improve security in any way!
Add to this all the new mandates coming from OMB (OMB 06-16, OMB 07-11) and you end up with continually increasing workload, no proper prioritization, and lower budgets. This is a recipe for security disaster. OMB has a history of passing down new requirements with very short timeframes for implementation. There's no discussion of priority or understanding of risk-based management.
OMB 06-16 required agencies to do the following:
- Encrypt all data on mobile computers/devices that carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing.
- Allow remote access only with two-factor authentication in which one of the factors is provided by a device separate from the computer gaining access.
- Use a "time-out" function for remote access and mobile devices requiring user reauthentication after 30 minutes of inactivity.
- Log all computer-readable data extracts from databases holding sensitive information and verify that each extract including sensitive data has been erased within 90 days or its use is still required.
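The last requirement above is the one that most needs a repeatable check: each logged extract must either be erased within 90 days or carry a written confirmation that it is still needed. As an added example (not from the article or from OMB), the following script runs that review over a constructed extract log; the log fields and sample dates are assumptions.

```python
from datetime import date, timedelta

# Constructed extract log (one entry per computer-readable extract from a
# database holding sensitive data). 'erased_on' stays None until the erasure
# is recorded; 'justified_on' holds the date of the latest written
# confirmation that the extract is still required.
EXTRACT_LOG = [
    {"id": "X-001", "extracted_on": date(2007, 1, 5),
     "erased_on": date(2007, 2, 1), "justified_on": None},
    {"id": "X-002", "extracted_on": date(2007, 1, 10),
     "erased_on": None, "justified_on": None},
    {"id": "X-003", "extracted_on": date(2007, 1, 20),
     "erased_on": None, "justified_on": date(2007, 4, 15)},
    {"id": "X-004", "extracted_on": date(2007, 4, 1),
     "erased_on": None, "justified_on": None},
    {"id": "X-005", "extracted_on": date(2007, 1, 1),
     "erased_on": date(2007, 4, 20), "justified_on": None},
]

RETENTION = timedelta(days=90)  # the 90-day window in OMB 06-16


def review_extracts(log, today):
    """Return (overdue, late_erasures).

    overdue: extracts still present, older than 90 days, with no
             'still required' confirmation inside the last 90 days.
    late_erasures: extracts that were erased, but more than 90 days after
             extraction (or after the last confirmation).
    """
    overdue, late = [], []
    for entry in log:
        # The clock restarts at the most recent written justification.
        anchor = entry["justified_on"] or entry["extracted_on"]
        if entry["erased_on"] is None:
            if today - anchor > RETENTION:
                overdue.append(entry["id"])
        elif entry["erased_on"] - anchor > RETENTION:
            late.append(entry["id"])
    return overdue, late


if __name__ == "__main__":
    overdue, late = review_extracts(EXTRACT_LOG, date(2007, 5, 1))
    print("overdue (not erased, no justification):", overdue)
    print("erased later than 90 days:", late)
```

Run against the constructed log on 2007-05-01, X-002 is reported as overdue and X-005 as erased late; X-003 is kept because its justification is recent.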
I don’t have a real problem with the requirements listed above. I have a problem with the timeline: "Please ensure these safeguards have been reviewed and are in place within the next 45 days."
This was a totally unrealistic timeline for implementation, not to mention that there was no additional funding provided to the agencies to meet this goal. This is generally referred to as an "unfunded mandate," and only serves to increase the workload and funding problems already being experienced across government.